Electronic circuit device for cryptographic applications

ABSTRACT

The electronic circuit executes operations dependent on secret information. Power supply current dependency on the secret information is cloaked by drawing additional power supply current. A plurality of processing circuits (102, 106) executes respective parts of the operations dependent on the secret information. An activity monitor circuit (12 a,b, 14), coupled to receive pairs of processing signals coming into and out of respective ones of the processing circuits, derives activity information from each pair of processing signals. The activity monitor circuit (12 a,b, 14) generates a combined activity signal indicative of a sum of power supply currents that will be consumed by the processing circuits (102, 106) dependent on the processing signals. A current drawing circuit connected to the power supply connections is controlled by the activity monitor circuit (12 a,b, 14) to draw a cloaking current controlled by the combined activity signal, so that power supply current variations dependent on the secret information are cloaked in a sum of the cloaking current and current drawn by the processing circuits (102, 106).

The invention is related to an electronic circuit device, and in particular an integrated circuit device such as a smart card, that is arranged to perform cryptographic computations.

Recently it has been realized that an analysis of the time dependence of the power supply current consumed by an integrated circuit could be used to identify secret information, such as a decryption key, when that secret information is processed in the integrated circuit. In response, various solutions have been proposed to cloak the effect of the secret information on the power supply current consumption.

WO 00/26746 discloses the use of a load circuit to draw additional power supply current in parallel with the secret information dependent power supply current. It is proposed to use a complementary circuit in addition to the circuit that draws secret information dependent power supply current, which will be called the functional circuit. The complementary circuit and the functional circuit contain similar circuit elements and the complementary circuit has complementary circuit nodes that correspond to circuit nodes in the functional circuit.

In each clock cycle when the logic level of a circuit node in the functional circuit does not change the logic level of the corresponding node in the complementary circuit is made to change and vice versa, when the logic level of a circuit node in the functional circuit does change, the logic level of the corresponding node in the complementary circuit does not change. Thus, the number of logic level changes in the combination of the functional circuit and the complementary circuit does not depend on the secret information. As a result the sum of power supply current consumption of the functional circuit and the complementary circuit is constant, independent of the secret information.

Other documents show power supply current regulation techniques that use a feedback loop to keep the power supply current constant. This has the same result on the average power supply current as using complementary transitions, but it does not cloak the difference in the pulses in power supply current. WO 00/19366 discloses an advanced solution in which these pulse differences are eliminated by drawing the secret information dependent power supply current from a capacitive internal power supply node that is disconnected from the external power supply connection most of the time. The internal power supply node is connected to the external power supply for charging only when the cumulative charge consumption by the power supply current makes this necessary. To cloak the effect of the secret information on the overall power supply consumption the power supply consumption must be regulated to a constant level.

However, a disadvantage of keeping power supply at a constant level to cloak secret information is that a fairly high level of power supply current must be maintained. Other techniques have sought to overcome this problem. U.S. Pat. No. 6,419,159 discloses the addition of random power supply current fluctuations, rather than just complementary power supply current fluctuations. This reduces the correlation between the secret information and the power supply current fluctuations. WO 00/63827 discloses power supply voltage regulation with a randomly variable power supply voltage to cloak power supply current variations due to the secret information. This type of cloaking, however, may still be sensitive to statistical techniques of analyzing the secret information.

Among others, it is an object of the invention to provide for cloaking of the effect of secret information on the power supply current of an integrated circuit that is responsive to the actual effect of the secret information, but which is more flexible than the use of complementary nodes.

The integrated circuit according to the invention is set forth in Claim 1. In the integrated circuit an activity monitor is used, which uses pairs of processing signals that come into and out of processing circuits that process secret information. The measurements of the activity of different processing circuits are summed and the sum is used to control a cloaking current that is drawn from the power supply so as to cloak the dependence on the secret information.

By using a sum of the activities more flexible cloaking is possible than in the prior art solution where a complementary node is present for each node in the functional circuit. This reduces the power supply current required for cloaking, because a transition in some circuits in the functional circuit can compensate the lack of a transition in other circuits in the functional circuit, without having to generate a complementary transition for each node in the functional circuit where no transition occurs. The use of activity measurements makes it possible to realize faster and more accurate cloaking than with power supply current regulation.

It should be noted that in an embodiment the cloaking current drawn by the current drawing circuit does not necessarily have the same sign as the current drawn by the processing circuits. When the processing circuits draw a net charging current for charging output nodes of logic circuits, the current drawing circuits may supply a net discharging current for discharging output nodes of logic circuits and vice versa. In addition the cloaking current may include a component of constant sign. In another embodiment the entire cloaking current always has the same sign.

In an embodiment of the integrated circuit according to the invention the circuit is clocked and the activity dependent cloaking power supply current is supplied synchronized by the clock signal. Thus, also the pulse pattern of the power supply can be cloaked.

In another embodiment of the integrated circuit according to the invention the integrated circuit is pipelined and current drawing circuits for drawing cloaking current are provided per pipeline stage. Thus, pipeline stage specific dependence on secret information can be cloaked.

In another embodiment the cloaking current is enabled only upon reception of a trigger signal that triggers or accompanies execution of a secret information dependent process in the integrated circuit. Thus power supply current drain that is not needed for cloaking is avoided.

In another embodiment a time dependent reference pattern is generated in response to the trigger signal and the cloaking current is adapted so that the total of the power supply current consumed by the processing circuits and the cloaking current varies as the reference pattern. Thus, processing of fake secret information can be simulated.

These and other objects and advantageous aspects of the invention will be set forth using the following Figs.

FIG. 1 shows an integrated circuit

FIG. 2 shows an integrated circuit with a clock circuit

FIG. 3 shows an integrated circuit with a pipeline structure

FIG. 1 shows an integrated circuit that comprises a processing unit 10, activity detection circuits 12 a,b, an activity summing circuit 14, a reference pattern generator 15, a subtractor 16 and a current drawing circuit 18. Processing unit 10 is shown to contain a number of interconnected processing circuits. Two processing circuits 102, 106 have inputs 110, 114 and outputs 112, 116 connecting these processing circuits to other processing circuits. Input 110 and output 112 of a first processing circuit are coupled to the inputs of a first activity detection circuit 12 a. Input 114 and output 116 of a second processing circuit 106 are coupled to the inputs of a second activity detection circuit 12 b. Outputs of activity detection circuits 12 a,b are coupled to activity summing circuit 14. Subtractor 16 has inputs coupled to outputs of activity summing circuit 14 and reference pattern generator 15 and an output coupled to current drawing circuit 18. Current drawing circuit 18 and processing circuits 102, 106 receive power supply current from power supply connections Vdd and Vss.

In operation activity detection circuits 12 a,b determine the amount of activity of processing circuits 102 and 104 from the values of the input and output signals of these processing circuits 102, 106. Activity measurement is known per se, and will therefore be described only briefly. The amount of activity A indicates whether a processing circuit 102, 106 has to generate a logic level transition. Power consumed by the processing circuit 102, 106 increases when activity occurs. In one embodiment processing circuits 102, 106 are registers. In this case, the activity occurs when the register is clocked and the input data will give rise to output data unequal to the measured output data. In this case the activity A is the difference Nup-Ndown between a first number Nup of registers that makes a transition from logic low to logic high and a second number Ndown that makes a transition from logic high to logic low. Upon receiving a clock signal to make these transitions the registers consume a power supply current pulse that provides a charge which is in fixed proportion to A. In another embodiment processing circuits 102, 106 are logic gates. In this case, too, the activity occurs when the input data of the gate will give rise to output data unequal to the measured output data. Here too the current must provide a charge proportional to Nup-Ndown. In this case the transition is not enabled directly by a clock signal.

Activity summing circuit 14 sums the amounts of activity determined by the different activity detection circuits 12 a,b and passes a net sum of the activity measured by the different activity detection circuits 12 a,b to subtractor 16. Reference pattern generator generates a time dependent pattern (or time independent pattern) of the total power supply current through power supply connections Vdd, Vss that should be observable outside the integrated circuit. In a simple example the pattern requires a constant, time-independent current. Subtractor 16 generates a control signal to make current drawing circuit 18 draw an amount of current substantially equal to the required current minus the current that follows from the summed measured amount of current indicated by activity summing circuit 14.

In one embodiment activity detection circuits 2 a,b each generate a current proportional to the difference between the input and output signals. In this embodiment activity summing circuit 14 forms an analog net sum current of these currents and uses a difference between a reference current from reference generator 15 and the net sum current to control the current drawn by current drawing circuit 18. However, without deviating from the invention activity detection circuits may generate digital difference signals, which are summed digitally in activity summing circuit 14. If all processing circuits 102, 106 whose activity is measured have been designed to consume the same power supply current upon a transition of data then all activities may be summed with equal weight.

If the processing circuits have mutually different designed current consumption the activities of different circuits should be weighted in the sum, according to the designed current consumption (which depends in a known way on the Width/Length ratios of the transistors involved). When processing circuits 102, 106 are registers it generally suffices to determine the difference between input and output signals to detect activity. In case the processing circuits are logic gates, some prior logic manipulation of the input and output signals may be required to determine activity, or more than one input and output signal may be required to determine activity of one logic circuit.

In a digital embodiment current drawing circuit 18 may for example have the form of any digital to analog converter (known per se), which converts a digitally coded value into an analog power supply current of required size, e.g. by selectively activating current sources of predetermined current strength.

In another digital embodiment current drawing circuit 18 may comprise for example a number of logic gates such as inverters (not shown), whose inputs are controlled by signal subtractor 16 and which have mutually equal output capacitances. In one embodiment subtractor 16 controls the numbers Nup, Ndown of these logic gates whose outputs are switched from respective logic levels to another, so that the sum of each of these numbers Nup, Ndown and the number of gates that make the same switches in the processing circuits 102, 106 is equal to the number prescribed by reference pattern generator 15. In this embodiment the activity detection circuits determine respective sums Nup and Ndown of the numbers of logic level transitions for different logic levels.

In another digital embodiment subtractor 16 controls the net number Nnet=Nup−Ndown of outputs of the logic gates that are switched, so that the sum of this net number and the net number of gates that are switched between that make the same in the processing circuits 102, 106 is equal to the number prescribed by reference pattern generator 15. Thus discharge of capacitive charge at the output node of the gates in current drawing circuit 16 may be used to provide current to charge output capacitances of gates in the processing circuits 102, 106 and vice versa, which leads to less power supply current consumption. In this embodiment the activity detection circuits need to determine only the net sum Nnet=Nup−Ndown of the numbers of logic level transitions for different logic levels; the individual numbers Nup, Ndown need not be determined separately.

Preferably gates with mutually equal output capacitances are used in current drawing circuit 18, so that only the number of gates that is switched matters. In another embodiment, gates with mutually different output capacitances are used, for example output capacitances that differ by a factor of a power of an integer radix R like 2. In this case each time current drawing circuit would have to switch R logic gates of a certain output capacitance it may switch one logic gate with an R times larger output capacitance instead. Thus the number of logic gates can be reduced.

It will be appreciated that it is not necessary to detect activity of all processing circuits. It suffices to measure activity of those circuits that are substantially affected by the secret information. Even among those circuits it may suffice to detect activity only of the circuits that are most affected by the secret information, or only of circuits whose activity is known to be proportional to the activity of other circuits, whose activity is not separately measured. For example, only activity of registers in a pipelined processing unit may need to be measured, when the activity in combinatorial logic circuits follows from the activity of the registers.

FIG. 2 shows a further embodiment of the integrated circuit. FIG. 2 shows a clock circuit 20 coupled to processing circuits 102, 106 (which are registers in this embodiment) and to current drawing circuit 18. In operation, activity detection circuits 12 a,b signal whether or not the input signals of registers 102, 106 are such that a transition of a stored value will occur in registers 102, 106 upon a clock signal. That is, if registers 102, 106 copy their input to their output, activity detection circuits detect the difference between the input and output, but if the registers copy the inverse of the input to the output the difference between the output and the inverse of the input is determined.

Current drawing circuit 18 draws a cloaking current pulse with a total charge content dependent on the net number Nup-Ndown of registers 102, 106 that will make an upward transition. Current drawing circuit 18 draws this current with a pulse at a time point determined by the clock signal, so that the current pulse substantially coincides with the pulse caused by the transition in the registers, which is also triggered by the clock signal.

FIG. 2 also shows a connection between one of the circuits in processing unit 10 and reference pattern generator 15 to trigger generation of the reference pattern, as well as a connection from clock circuit 20 to reference pattern generator 15. In operation processing unit 10 executes a program of instructions, at least part of which involve secret information. Execution of successive instructions is clocked by clock circuit 20. The program contains an instruction that, when executed, triggers the reference pattern generator. Reference pattern generator contains a programmed temporal pattern of a required time dependent supply current and starts generating successive steps of this pattern upon being triggered, so that the steps of the pattern occur in synchronism with execution of successive instructions of the program that follow the instruction that triggers generation of the pattern. These successive instructions process secret information.

Thus, by using an instruction to trigger the pattern it can be ensured that the effect of the secret information is cloaked. In one embodiment, the programmed temporal pattern equals the pattern of activity that would occur when the processor would execute the instructions with a given value of the secret information (other than the actual value), so that it appears from the total power supply current that the given value is processed. Although FIG. 2 shows the connections to reference pattern generator 15 together with the clocking of current drawing circuit 18 and application to the activity of registers 102, 106, it will be appreciated that these two changes may be applied independently of one another.
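The activity detection, weighted summing and subtraction described above, together with the reference pattern that mimics a given (decoy) secret value, can be modelled behaviourally. The following Python sketch is an added example and not part of the patent text; the register model (each register loads input XOR key byte), the weights, the keys and the data bytes are constructed assumptions.

```python
# Behavioural model of the cloaking loop (added example, not from the patent).
# Register model, weights, keys and input bytes are constructed assumptions.
WIDTH = 8
MASK = (1 << WIDTH) - 1


def transitions(before, after):
    """Activity detection for one register: (Nup, Ndown) from its output
    (current state) and its input (next state)."""
    n_up = bin(~before & after & MASK).count("1")    # bits going 0 -> 1
    n_down = bin(before & ~after & MASK).count("1")  # bits going 1 -> 0
    return n_up, n_down


def run_registers(key_bytes, inputs):
    """Per clock cycle, the (Nup, Ndown) pair of every register.
    Register i loads (input XOR key_bytes[i]), so its activity depends on
    the secret."""
    states = [0] * len(key_bytes)
    cycles = []
    for x in inputs:
        per_reg = []
        for i, k in enumerate(key_bytes):
            nxt = (x ^ k) & MASK
            per_reg.append(transitions(states[i], nxt))
            states[i] = nxt
        cycles.append(per_reg)
    return cycles


def summed_net_activity(cycles, weights):
    """Activity summing circuit: weighted net sum of Nup - Ndown per cycle.
    Weights model registers with different designed current consumption."""
    return [sum(w * (up - down) for w, (up, down) in zip(weights, regs))
            for regs in cycles]


def cloak_net(activity, reference):
    """Subtractor: cloaking charge = reference pattern minus summed activity.
    A negative value means the current drawing circuit discharges nodes
    while the processing circuits charge theirs."""
    return [r - a for r, a in zip(reference, activity)]


def cloak_up_down(cycles, n_ref):
    """Embodiment with separate counts: numbers of equal-capacitance cloak
    gates switched up and down so that each total equals n_ref."""
    out = []
    for regs in cycles:
        up = sum(u for u, _ in regs)
        down = sum(d for _, d in regs)
        if up > n_ref or down > n_ref:
            raise ValueError("reference is below the worst-case activity")
        out.append((n_ref - up, n_ref - down))
    return out


def observed(activity, cloak):
    """Charge per cycle visible at Vdd/Vss: processing circuits plus cloak."""
    return [a + c for a, c in zip(activity, cloak)]


def demo():
    inputs = [0x3C, 0xA5, 0x0F, 0xF0, 0x81]   # constructed data bytes
    weights = [1, 2]                           # second register draws 2x
    real, other, decoy = [0x5A, 0xC3], [0x17, 0x2E], [0x00, 0xFF]
    act_real = summed_net_activity(run_registers(real, inputs), weights)
    act_other = summed_net_activity(run_registers(other, inputs), weights)
    # Reference pattern: the activity the circuit would show for the decoy.
    ref = summed_net_activity(run_registers(decoy, inputs), weights)
    seen_real = observed(act_real, cloak_net(act_real, ref))
    seen_other = observed(act_other, cloak_net(act_other, ref))
    return act_real, act_other, ref, seen_real, seen_other


if __name__ == "__main__":
    for name, trace in zip(("real", "other", "ref", "seen_real", "seen_other"),
                           demo()):
        print(f"{name:>10}: {trace}")
```

Without the cloak the two keys give different per-cycle traces; with it, both observed traces equal the decoy pattern, and the separate-count embodiment only works when the reference is at least the worst-case number of transitions.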

Similarly, it will be appreciated that the invention is not limited to execution of programs. A secret information dependent process may be executed in any way (e.g. by means of a program or by means of dedicated hardware), after being triggered by some signal in the integrated circuit. In response to this trigger signal, or to some signal that accompanies the process, reference pattern generator 15 is triggered to generate the reference pattern in step with execution of the secret information dependent process, so as to define the total required current. In another embodiment, the pattern is merely a constant current, but the cloaking circuit from current drawing circuit 18 is activated only during a time window of a number of clock cycles started in response to the trigger signal, so that current drawing circuit 18 is not or only slightly active when no secret information is processed. It will be appreciated that in the latter case the precise structure of FIG. 2 is not needed: a disable/enable signal to disable/enable the cloaking current in specific clock cycles may be applied anywhere in the cloaking circuit, for example in current drawing circuit 18, or in the activity measurement circuits.

FIG. 3 shows a further integrated circuit, wherein the processing unit contains a number of pipeline stages, each with combinatorial logic circuits 300, 304, 308. The combinatorial logic circuits of each pair of successive pipe-line stages are separated by a register 302, 306 for storing one or more bits in parallel. Respective registers 302, 306 define the borders between successive pipeline stages. For each border an activity measuring circuit 30, 32, a reference pattern generator 330, 334, a subtractor 332, 336 and a current drawing circuit 320, 322 are provided. The activity measuring circuits 30, 32 are coupled to the inputs and outputs of the registers 302, 306 or at least to those of the inputs and outputs that carry data bits for which it is known in advance that they may depend on secret information.

Although only three stages of combinatorial logic 300, 304, 308 and two registers 302, 306 with accompanying cloaking circuits are shown it will be appreciated that more pipe-line stages with intervening registers may be present, each with their own cloaking circuit.

In operation each activity measuring circuit 30, 32 measures the difference between the multiple bit inputs 310, 314 and the multiple bit outputs 312, 316 of the register 302, 306 at a border between a respective pair of pipeline stages. The output of each activity measuring circuit 30, 32 is fed to a respective subtractor 332, 336, which compares the activity with a value from a reference activity pattern generated for the register of the relevant pipeline stage (generated by pipe-line stage specific reference pattern generators 330, 334). The result of the comparison is fed to a current drawing circuit 320, 322 for the particular stage, to cause the current drawing circuit to draw a current that cloaks the secret information of the power supply current drawn by the pipeline stage. Thus, cloaking is realized per pipeline stage.

In one embodiment reference pattern generators 330, 332 are triggered in synchronism with execution of instructions in the pipe-line stage that cause secret information dependent current to be drawn. As described, this may be realized for example by activating the cloaking circuit in response to a trigger signal that starts the secret information dependent process or that accompanies that process. In this case, reference pattern generators 330, 332 for each pipeline preferably generate the reference pattern substantially only for those clock cycles in which the process results in secret information dependent power supply current in the relevant pipeline stage. (Or instead a disable/enable signal may be generated for the cloaking current of the particular pipeline stage.) Thus, additional cloaking current needs to be drawn only for each particular pipeline stage when that particular pipeline stage executes a secret information dependent operation. This reduces power supply consumption.

The current drawing circuit 320, 322 for each pipe-line stage is preferably located close to the registers 302, 306 for the pipe-line stage for which the current drawing circuit cloaks the power supply current, e.g. closer to those registers than to registers coupled between non-adjacent pipeline stages. Thus, location dependency of secret information related currents in the integrated circuit is suppressed, which makes it more difficult to reconstruct the secret information.

Although cloaking circuits are shown per pipeline stage, it will be appreciated that the cloaking circuits may also be provided for groups of pipeline stages that each form a subset of the pipeline or for the pipeline as a whole as in the embodiment of FIG. 2.

1. An electronic circuit device for executing operations dependent on secret information, the electronic circuit device, comprising: power supply connections; a processing unit comprising a plurality of processing circuits for use in execution respective parts of the operations dependent on the secret information, the processing circuits being fed from the power supply connections; an activity monitor circuit coupled to receive pairs of processing signals coming into and out of respective ones of the processing circuits, the activity monitor circuit being arranged to derive activity information derived from each pair of processing signals, and to derive from the activity information a combined activity signal indicative of a sum of power supply currents that will be consumed by the processing circuits dependent on the processing signals; a current drawing circuit connected to the power supply connections and controlled by the activity monitor circuit to draw a cloaking current controlled by the combined activity signal, so that power supply current variations dependent on the secret information are cloaked in a combination of the cloaking current and current drawn by the processing circuits.

2. An electronic circuit device according to claim 1, wherein the processing unit comprises a clock circuit, combinatorial logic circuits and registers clocked by the clock circuit and connected between respective parts of the combinatorial logic circuits, the pairs of processing signals comprising pairs of input and output signals of the registers, the current drawing circuit being arranged to adjust a value of the cloaking current dependent on the activity of the registers at instants synchronized by the clock circuit.

3. An electronic circuit device according to claim 2, organized as a pipe-line of successive parts of the combinatorial circuits, each pair of successive parts coupled via a respective one or respective ones of the registers, the electronic circuit, comprising: a plurality of activity monitor circuits, each coupled to receive pairs of input and output signals of the respective one or ones of the registers between a respective pair of successive parts of the combinatorial circuits, and to derive a combined activity signal from the pairs of input output signals; a plurality of current drawing circuits connected to the power supply connections, each controlled by a respective one of the activity monitor circuits to draw a cloaking current controlled by combined activity signal derived by that respective one of the activity monitor circuits.

4. An electronic circuit device according to claim 3, arranged to activate the current drawing circuits in selected clock cycles, when the corresponding pipe-line stages process secret information.

5. An electronic circuit device according to claim 1, having a trigger input coupled to the current drawing circuit, arranged to enable drawing of the cloaking current only upon receiving a trigger signal that triggers or accompanies execution of a secret information dependent process in the electronic circuit.

6. An electronic circuit device according to claim 1, comprising a reference current pattern generator, the current drawing circuit being arranged to adjust the value of the cloaking current so that the combination of the cloaking current and current drawn by the processing circuits substantially equals a temporal reference current pattern generated by the reference current pattern generator.

7. A method of executing operations dependent on secret information in an electronic circuit, the method comprising: supplying power supply current to processing circuits; executing respective parts of operations that dependent on the secret information using the processing circuits; receiving pairs of processing signals coming into and out of respective ones of the processing circuits; deriving activity information from each pair of processing signals, deriving from the activity information a combined activity signal indicative of a sum of power supply currents that will be consumed by the processing circuits dependent on the processing signals; drawing a cloaking current controlled by the combined activity signal, and combining that cloaking current with current drawn by the processing circuits so that power supply current variations dependent on the secret information are cloaked in the combination of the cloaking current and current drawn by the processing circuits.